With organisations across the world forced to adapt to mass remote working almost overnight, it could be argued that endpoint security has never been more important.
Indeed, with millions of employees now working from remote locations and new services being rolled out to support them, the traditional security perimeter has vanished before our eyes.
This has created a significant challenge for the security teams tasked with defending their organisations against threats – a challenge made even harder when the tactics and techniques of cybercriminals are constantly evolving. This blog explores the concept of endpoint security, outlines the importance of building an endpoint monitoring capability and examines the options available to help businesses achieve this.
What is endpoint security?
Endpoint security refers to the protection of internet-connected devices against cyber threats. Endpoints could include PCs, workstations, servers, smartphones, tablets and IoT devices.
As the volume and sophistication of cyber threats has evolved, organisations have been forced to re-evaluate endpoint security practices to better protect their businesses. Recent research from the Ponemon Institute suggests that confidence in traditional antivirus solutions is declining, with most solutions estimated to block only 40% of attacks. Antivirus software remains essential but relying on antivirus alone can leave organisations vulnerable to more sophisticated threats such as memory-resident and polymorphic malware.
Effective endpoint security requires more than just signature-based detection techniques. A deeper level of detection that utilises behavioural analytics is now essential to detect threats capable of bypassing traditional network defences. Detecting modern cyber-attacks requires more advanced tools like Endpoint Detection and Response (EDR) and Endpoint Protection Platforms (EPP).
Why is endpoint security so important?
Allowing employees to seamlessly connect to corporate networks is essential for ensuring they can fulfill their roles, but every device that connects to the network presents its own inherent risk. When employees work from home, they sit outside the reach of the corporate firewall that can monitor and block incoming and outgoing communications to endpoint devices. Many organisations insist that employees connect to a Virtual Private Network (VPN) and while this can offer some protection, ensuring all employees do so with regularity can be challenging.
Endpoint devices have become an attractive target for cybercriminals. They often have unpatched software vulnerabilities and are used by employees that may be susceptible to phishing, the most common attack vector used to target endpoints.
An increasing number of cyber-attacks are designed specifically to target endpoints, seeking to install malware and gain unauthorised access to networks. The proliferation of endpoint devices in recent years has increased the opportunities for adversaries to launch these attacks, and the shift to cloud hosting and SaaS only complicates this issue further. The average cost per breach resulting from an attack on endpoints is over £7 million, more than twice the average cost of a general data breach (Ponemon Institute).
The significant damage and disruption that endpoint breaches can cause makes incident response critical. Endpoint security is important because it can help organisations to reduce incident response times by disrupting and containing attacks earlier in the kill chain. Advanced tools like EDR can help to automate response actions, such as isolating an infected endpoint from a network, thereby ensuring breaches are shut down as quickly as possible.
Gartner predicts that by 2020, 70% of organisations with over 5,000 endpoints will have EDR software installed.
What is endpoint monitoring?
To effectively mitigate endpoint risks, security teams need to establish visibility of all the endpoint devices in an environment and put measures in place to identify and shut down malicious threats that seek to target them.
In practical terms, endpoint monitoring is the collection, aggregation, and analysis of endpoint behaviours across an organisation’s environment to identify signs of malicious activity. This is typically achieved by establishing a baseline of what constitutes normal behaviour and identifying any deviations from it.
EDR technologies help to facilitate endpoint monitoring by capturing important endpoint events such as registry and file changes, using real-time behavioural monitoring to pinpoint suspicious activity.
The challenges of endpoint security monitoring
Early detection of endpoint attacks is vital, but without a team of security experts to manage and monitor EDR and other endpoint monitoring technologies around-the-clock, organisations will be unable to achieve the security outcomes these tools can deliver.
Endpoint monitoring solutions ingest a huge amount of data, and the greater the number of devices and applications that are monitored, the more security alerts that result. This causes growing complexity that can be difficult to manage for in-house teams, who often lack the specialist security training required to make sense of them.
In addition, getting the best from endpoint monitoring technologies like EDR requires good threat intelligence. Out of the box, most EDR solutions won’t provide this, nor the custom rulesets required to proactively identify the latest threats. Specialist security expertise is required to configure and tune chosen technologies and build detection processes tailored to an organisation’s specific risk profile.
Without adequate resources, alert fatigue is inevitable, and expensive technologies can quickly become obsolete. The inevitable consequence of these challenges is an increased exposure to cyber threats. In an attempt to bridge the gap, organisations are increasingly looking for outside help to build endpoint detection and response capabilities.
Managed endpoint monitoring
An endpoint security monitoring service is a useful option for any organisation looking to improve endpoint visibility and quickly elevate its ability to detect, respond to and remediate endpoint security threats.
Critically, enlisting the assistance of an external provider could also help organisations develop a threat hunting capability. By combining manual and machine-assisted techniques to seek out threats that bypass existing defences, threat hunting helps to shut down known and unknown threats in their infancy.
Threat hunting is resource-intensive, requiring a deep understanding of the tactics, techniques and procedures of cybercriminals. Buyers should look for an organisation with not just an established managed security offering, but also a strong level of offensive security expertise to help develop the EDR rulesets required.
Why choose Redscan?
Redscan’s Managed EDR service is designed to ease the challenges of 24/7 endpoint monitoring by supplying the latest technology, around-the-clock SOC expertise and up-to-the-minute threat intelligence for a cost-effective monthly subscription.
Our SOC analysts, engineers and incident responders take care of the deployment, configuration and ongoing management and monitoring of the selected EDR solution. We utilise the latest endpoint telemetry to enhance visibility of advanced attacks and benchmark coverage against the MITRE ATT&CK framework.
By deploying endpoint agents in a matter of minutes and analysing, triaging and prioritising EDR alerts and only communicating those that require our clients’ attention, we help to ease the burden on in-house teams. Our experts utilise their deep understanding of offensive security to develop hundreds of bespoke rules and watchlists, enrich alerts and provide actionable remediation guidance and automated response actions.
